Last updated: April 2025
This Data Processing Agreement ('DPA') sets out the conditions under which the SaaS platform provider processes personal data on behalf of the professional Client in connection with the use of its services.
This DPA applies to all personal data processing carried out during the Client’s use of the platform, in accordance with the General Terms and Conditions of Sale.
The Client is the data controller. The platform acts as a processor and agrees to process data only on documented instructions from the Client and not for its own purposes.
Data categories include, without limitation: login credentials, technical metadata, uploaded content, video, audio, text, and images, strictly as necessary to provide the service. No sensitive data is expected or required.
Data is processed for the purposes of providing the subscribed services, ensuring proper functioning of the platform, generating content, enabling customization, and ensuring security.
Data is exclusively hosted within the European Union. Any onward subcontracting is subject to prior Client approval, except for technical subprocessors listed in the published Security Policy.
Data is retained for the contract term and deleted within 30 days of termination, unless legal obligations or explicit Client requests require earlier extraction or restitution.
The platform implements appropriate technical and organizational security measures including: access control, encryption (AES-256), monitoring, internal audits, 2FA, incident response policy, and business continuity planning. These comply with ISO 27001 and NIST 800-53/800-86 standards.
In the event of a data breach, the processor shall notify the Client as soon as possible and assist with investigation, documentation, and any required regulatory notifications.
The processor assists the Client in responding to data subject requests (access, rectification, erasure, portability), within technical constraints.
The processor maintains documentation demonstrating compliance and accepts reasonable audits upon 15 business days' notice, limited to one per year unless otherwise required.
Processor personnel with access to data are bound by strict confidentiality. Regular training and compliance checks are conducted under the HR Security Policy.
At contract end, data is securely deleted or returned upon Client request. Absent a request within 30 days, data is permanently erased unless retention is legally required.
This DPA is deemed implicitly accepted if:
i) attached to an invoice or purchase order;
ii) published on the platform’s website; or
iii) shared by email without written objection within 10 business days.
It is enforceable without formal signature.
For any request relating to personal data or this DPA, the Client may contact: dpo@aive.com