Data Processing Agreement (DPA)

1. Parties and Roles

This DPA forms part of the Terms of Service between you (the “Controller”) and Aidly (the “Processor”) and governs our processing of personal data on your behalf in connection with the Service.

2. Subject Matter and Duration

Subject matter: processing of personal data in customer messages and related metadata for the provision of the Service. Duration: for the term of your subscription and a reasonable period thereafter for backups, logs, and legal obligations.

3. Nature and Purpose of Processing

• Receiving, storing, encrypting, triaging, and transmitting messages.
• Generating AI‑assisted classifications and reply drafts as configured by the Controller.
• Sending outbound transactional emails and maintaining operational records.

4. Categories of Data Subjects and Data

• Data subjects: Controller’s end customers, agents, and authorized users.
• Personal data: names, email addresses, message content, and operational metadata provided by Controller.
• Sensitive data: Controller must not submit special categories of data unless expressly agreed with additional safeguards.

5. Instructions

We will process personal data only on documented instructions from the Controller, including via the Terms and your settings (e.g., configured AI providers), unless required by law. We will promptly inform you if an instruction infringes applicable law (where legally permitted).

6. Confidentiality

We ensure persons authorized to process personal data are bound by confidentiality obligations and receive appropriate training.

7. Security

We implement appropriate technical and organizational measures, including encryption in transit and at rest for sensitive fields, access controls, and monitoring, designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

8. Subprocessors

We may engage subprocessors to support the Service. A current list is available at /subprocessors. We impose data protection obligations on subprocessors equivalent to those herein and remain responsible for their performance.

9. International Transfers

Where personal data is transferred outside the EEA/UK to a country not deemed adequate, we implement appropriate safeguards such as Standard Contractual Clauses and additional measures as needed.

10. Assistance

• We will assist the Controller in responding to data subject requests under GDPR.
• We will provide reasonable assistance with DPIAs and consultations with supervisory authorities where required.

11. Personal Data Breach

We will notify the Controller without undue delay upon becoming aware of a personal data breach affecting personal data we process for the Controller, and provide information reasonably required to meet the Controller’s obligations.

12. Audits

Upon reasonable notice, we will make available information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to confidentiality and reasonable limitations to protect the security and integrity of the Service.

13. Return or Deletion

Upon termination of the Service, at the Controller’s choice and subject to legal obligations, we will delete or return personal data and delete existing copies within a reasonable period from backups and logs.

14. Liability

Liability is as set forth in the Terms. Nothing in this DPA limits rights or remedies available to data subjects under applicable law.

15. Contact

Questions about this DPA? Contact legal@aidly.me.