Compliance: GDPR & CCPA Aligned

Data Processing Agreement.

This agreement (DPA) sets out the legal framework for how AI Automation Services Agency processes Personal Data on behalf of the Client. It ensures transparency, security, and accountability.

1. Definitions

For the purposes of this DPA:

"Controller": The Client (You), who determines the purpose and means of processing personal data.
"Processor": The Agency (Us), who processes data on behalf of the Controller.
"Personal Data": Any information relating to an identified or identifiable natural person (e.g., names, emails in CRM).

2. Roles & Responsibilities

The Agency shall process Personal Data only on documented instructions from the Client (the "Master Services Agreement"). We will not use Client Data for our own marketing or algorithm training purposes without consent.

3. Nature of AI Processing

Our AI services involve specific data processing activities:

LLM Inference: Sending text prompts to Large Language Models to generate responses.
Vectorization: Converting text into mathematical vectors for semantic search (RAG).
Automation: Triggering APIs based on intent classification.

4. Technical & Security Measures

We implement the following technical controls to protect data confidentiality:

Encryption: AES-256 (At Rest) & TLS 1.3 (In Transit).

Secrets: API Keys managed via Vaults (Doppler/AWS KMS).

Access: Role-Based Access Control (RBAC) & MFA.

5. Authorized Sub-processors

The Client authorizes the engagement of the following sub-processors to deliver the Service. We have signed DPAs with each ensuring they meet Enterprise Security standards.

Sub-processor	Service Function	Location
OpenAI, LLC	LLM Inference (API)	USA
Amazon Web Services	Cloud Infrastructure	USA / EU
Pinecone Systems	Vector Database	USA (Virginia)
Vercel Inc.	Frontend Hosting	Global CDN

6. Data Breach Notification

In the event of a Personal Data Breach, we adhere to a strict notification timeline:

24-Hour Notification Window

We will notify the Client without undue delay (and in no case later than 24 hours) after becoming aware of a security incident affecting their data.

7. Audit Rights

Upon written request (maximum once per year), the Client may conduct an audit of our compliance with this DPA. We will provide all necessary information, including SOC2 reports (if available) or security questionnaires, to demonstrate compliance.

Download Signed DPA Copy
Request PDF via Email →