Data Processing Agreement (DPA)

1. Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Regulatory AI ("Processor") and governs the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR).

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data
• Controller: The entity that determines the purposes and means of processing
• Processor: The entity that processes personal data on behalf of the Controller

3. Processing Details

Subject Matter and Duration

Processing of personal data necessary to provide AI governance and compliance assessment services for the duration of the service agreement.

Nature and Purpose

Processing includes:

• AI system risk assessments
• Maturity evaluations
• Compliance reporting
• Account management and support

Categories of Personal Data

• Contact information (names, email addresses)
• Professional information (job titles, company names)
• Assessment responses and organizational data
• Usage and analytics data

Categories of Data Subjects

• Customer employees and representatives
• End users of customer AI systems (metadata only)

4. Processor Obligations

Regulatory AI commits to:

• Process personal data only on documented instructions from the Controller
• Ensure confidentiality of processing through binding agreements
• Implement appropriate technical and organizational security measures
• Assist with data subject rights requests
• Assist with impact assessments and consultations with supervisory authorities
• Delete or return personal data at the end of processing
• Provide information necessary to demonstrate compliance

5. Security Measures

Technical Measures

• AES-256 encryption at rest
• TLS 1.3 encryption in transit
• Multi-factor authentication
• Regular security testing and vulnerability assessments

Organizational Measures

• Role-based access controls
• Background checks for personnel with data access
• Regular security training
• Incident response procedures
• Audit logging and monitoring

6. Sub-processors

We may engage the following sub-processors:

• Amazon Web Services (AWS): Cloud infrastructure (EU regions)
• Stripe: Payment processing
• SendGrid: Email delivery

We will provide 30 days notice of any changes to sub-processors.

7. International Transfers

Personal data is processed within the EEA. Any transfers to third countries are protected by:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• Appropriate safeguards as approved by supervisory authorities

8. Data Subject Rights

We will assist you in responding to data subject requests for:

• Access to personal data
• Rectification of inaccurate data
• Erasure of personal data
• Data portability
• Restriction of processing

9. Personal Data Breaches

We will notify you without undue delay (within 24 hours) of any personal data breach and provide:

• Description of the breach
• Categories and number of data subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

10. Audits and Inspections

You have the right to conduct audits and inspections of our data processing activities. We will provide reasonable assistance and make relevant documentation available.

11. Data Deletion

Upon termination of services, we will:

• Delete all personal data within 90 days
• Provide certification of deletion upon request
• Retain data only as required by law

12. Contact Information

For DPA-related matters:

• Data Protection Officer: dpo@regulatory-ai.com
• Legal Team: legal@regulatory-ai.com