Data Processing Agreement

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
• "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller for the duration of the service agreement and as necessary to provide the Services. The subject matter of the processing is the provision of Aimable's AI platform services, including but not limited to:

• Processing of documents and data uploaded by the Controller
• AI-powered analysis and responses based on Controller's data
• PII detection and redaction services
• Storage and retrieval of Controller's data within the platform

3. Nature and Purpose of Processing

The Processor processes Personal Data solely to provide the Services as instructed by the Controller. This includes processing necessary for the operation of the AI platform, document analysis, secure data storage, and any other processing required to deliver the contracted Services.

4. Types of Personal Data

The types of Personal Data processed depend on the Controller's use of the Services and may include:

• Contact information (names, email addresses, phone numbers)
• Professional information (job titles, company names)
• Content of documents uploaded to the platform
• User queries and interactions with the AI system
• Any other Personal Data contained in materials uploaded by the Controller

5. Categories of Data Subjects

Data Subjects may include:

• Controller's employees and contractors
• Controller's customers and clients
• Controller's business partners and suppliers
• Any other individuals whose data is contained in materials processed through the Services

6. Obligations of the Processor

The Processor agrees to:

• Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law
• Ensure that persons authorised to process Personal Data have committed to confidentiality
• Implement appropriate technical and organisational security measures
• Respect the conditions for engaging Sub-processors as set out in this DPA
• Assist the Controller in responding to Data Subject requests
• Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
• Delete or return all Personal Data upon termination of the Services, at the Controller's choice
• Make available all information necessary to demonstrate compliance with this DPA

7. Obligations of the Controller

The Controller agrees to:

• Ensure that the processing of Personal Data is lawful and that appropriate legal bases exist
• Provide clear and documented instructions for Processing
• Ensure Data Subjects have been informed about the processing in accordance with applicable law
• Comply with all applicable data protection laws in relation to the Personal Data

8. Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall:

• Maintain an up-to-date list of Sub-processors, available upon request
• Inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object
• Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
• Remain fully liable for the acts and omissions of its Sub-processors

9. International Data Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless:

• The transfer is to a country deemed adequate by the European Commission
• Appropriate safeguards are in place, such as Standard Contractual Clauses
• The Controller has provided prior written consent

Aimable's infrastructure is hosted within the European Union to ensure data sovereignty and compliance with EU data protection requirements.

10. Security Measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Employee security training and confidentiality agreements
• Incident response and business continuity procedures
• PII detection and automatic redaction capabilities

11. Data Breach Notification

In the event of a Data Breach, the Processor shall:

• Notify the Controller without undue delay after becoming aware of the breach
• Provide sufficient information to enable the Controller to meet its notification obligations
• Cooperate with the Controller in investigating and mitigating the breach
• Document the breach and remedial actions taken

12. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly notify the Controller of any request received directly from a Data Subject.

13. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

14. Data Retention and Deletion

Upon termination of the Services, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless EU or Member State law requires storage of the Personal Data. The Controller may request a certificate of deletion.

15. Contact

For questions about this Data Processing Agreement or to exercise any rights, please contact: