Data Processing Agreement (DPA) – AIVE.com

Last updated: April 2025

1. Purpose

This Data Processing Agreement ('DPA') sets out the conditions under which the SaaS platform provider processes personal data on behalf of the professional Client in connection with the use of its services.

2. Scope

This DPA applies to all personal data processing carried out during the Client’s use of the platform, in accordance with the General Terms and Conditions of Sale.

3. Roles and Responsibilities

The Client is the data controller. The platform acts as a processor and agrees to process data only on documented instructions from the Client and not for its own purposes.

4. Data Processed

Data categories include, without limitation: login credentials, technical metadata, uploaded content, video, audio, text, and images, strictly as necessary to provide the service. No sensitive data is expected or required.

5. Processing Purposes

Data is processed for the purposes of providing the subscribed services, ensuring proper functioning of the platform, generating content, enabling customization, and ensuring security.

6. Hosting and Subprocessors

Data is exclusively hosted within the European Union. Any onward subcontracting is subject to prior Client approval, except for technical subprocessors listed in the published Security Policy.

7. Data Retention

Data is retained for the contract term and deleted within 30 days of termination, unless legal obligations or explicit Client requests require earlier extraction or restitution.

8. Security Measures

The platform implements appropriate technical and organizational security measures including: access control, encryption (AES 256), monitoring, internal audits, 2FA, incident response policy, and business continuity planning. These comply with ISO 27001 and NIST 800-53/800-86 standards.

9. Data Breach

In the event of a data breach, the processor shall notify the Client as soon as possible and assist with investigation, documentation, and any required regulatory notifications.

10. Data Subjects' Rights

The processor assists the Client in responding to data subject requests (access, rectification, erasure, portability), within technical constraints.

11. Documentation and Audits

The processor maintains documentation demonstrating compliance and accepts reasonable audits upon 15 business days' notice, limited to one per year unless otherwise required.

12. Confidentiality

Processor personnel with access to data are bound by strict confidentiality. Regular training and compliance checks are conducted under the HR Security Policy.

13. End of Contract

At contract end, data is securely deleted or returned upon Client request. Absent a request within 30 days, data is permanently erased unless retention is legally required.

14. Acceptance Without Signature

This DPA is deemed implicitly accepted if:
i) attached to an invoice or purchase order;
ii) published on the platform’s website; or
iii) shared by email without written objection within 10 business days.
It is enforceable without formal signature.

15. Contact

For any request relating to personal data or this DPA, the Client may contact: dpo@aive.com