Data Processing Agreement

GDPR compliance for AI automation

This Data Processing Agreement (DPA) forms part of the Terms of Service and governs how we process personal data on your behalf. It is designed to comply with GDPR requirements.

GDPR Compliant

Parties to the Agreement

Data Controller

You (the Customer) are the Data Controller for personal data processed through the AI Civilization platform. You determine the purposes and means of processing personal data.

Data Processor

AI Civilization acts as the Data Processor on behalf of the Customer. We process personal data only according to your documented instructions and for the purposes specified in this Agreement.

Sub-processors

We engage sub-processors for specific services. Current sub-processors are listed in our Sub-processor Register. We will notify you of any changes with at least 30 days' notice.

Scope and Nature of Processing

Types of Data Processed

We may process the following categories of personal data: account credentials, user identifiers, usage logs, content uploaded by users, AI interaction data, and billing information.

Processing Activities

Processing activities include: storage, analysis, AI model inference, automated decision-making (with human oversight), data transformation, backup, and security monitoring.

Categories of Data Subjects

Personal data may relate to your employees, contractors, customers, and end-users who interact with your AI automation deployments.

Security Measures

Technical Measures

We implement encryption at rest (AES-256) and in transit (TLS 1.3), pseudonymization where applicable, regular security testing, access controls, and secure development practices.

Organizational Measures

Our organizational measures include: confidentiality agreements, access management policies, security awareness training, incident response procedures, and regular third-party audits.

Certification

Our security program is certified to ISO 27001 and SOC 2 Type II standards. Audit reports are available upon request under NDA.

International Data Transfers

Standard Contractual Clauses

For transfers outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission. The appropriate module will be selected based on transfer type.

Transfer Impact Assessments

We conduct transfer impact assessments for each destination country to ensure appropriate supplementary measures are in place where required.

UK and Swiss Transfer

For UK transfers, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs. Swiss transfers are governed by the Swiss SCCs.

Data Retention and Deletion

Retention Periods

We retain personal data only for as long as necessary to provide services and comply with legal obligations. Upon termination, we will delete or return your data within 30 days.

Deletion Procedures

Deletion is performed using secure data wiping methods in accordance with NIST SP 800-88 guidelines. Deletion certificates are available upon request.

Backup Retention

Backup data is retained for up to 90 days for disaster recovery purposes. Backups are encrypted and stored in a separate geographic region.

Customer Rights and Requests

Cooperation Obligations

We will assist you in responding to data subject requests, including access, rectification, erasure, and portability requests, within agreed timeframes.

Data Subject Access

We provide tools for you to fulfill data subject access requests. For technical assistance, contact our support team within 5 business days of receiving a request.

Portability Support

We support data portability by providing exports in machine-readable formats (JSON, CSV) through your dashboard or API.

Key Obligations

Customer Obligations

  • Provide lawful instructions for processing
  • Ensure lawful basis for processing personal data
  • Inform us of any data subject requests received
  • Provide necessary information to data subjects
  • Conduct DPIAs where required

Processor Obligations

  • Process data only on documented instructions
  • Ensure confidentiality obligations for personnel
  • Implement appropriate security measures
  • Notify customer of personal data breaches within 72 hours
  • Delete or return data upon termination

Sub-processors

We currently use the following sub-processors to deliver our services. We will notify you of any changes at least 30 days in advance.

Name                  Purpose                   Location
Amazon Web Services   Cloud Infrastructure      US, EU
Stripe                Payment Processing        US
Twilio                Communication Services    US, EU
Datadog               Monitoring & Analytics    US, EU

For a complete and current list of sub-processors, contact dpo@aicivilization.com

Breach Notification Procedure

In the event of a personal data breach affecting your data, we will:

  • 72 hours: Notify you of the breach including breach details, categories of data, and remediation steps
  • Immediate: Isolate affected systems and implement containment measures
  • Ongoing: Provide regular updates during investigation and remediation
  • Post-incident: Deliver root cause analysis and prevention measures report

Sign the DPA

To execute this Data Processing Agreement or request our Standard Contractual Clauses, please contact our Data Protection Team:

Data Protection Officer

dpo@aicivilization.com

Legal Team

legal@aicivilization.com
