Data Processing Agreement (DPA)
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Acuda AI ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of the Acuda AI platform services ("Services"), as described in the Terms of Service.
This DPA ensures compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and the Data Protection Act 2018.
1. Definitions
- "Applicable Data Protection Law" means the GDPR, UK GDPR, Data Protection Act 2018, ePrivacy Directive, and any other applicable data protection legislation.
- "Controller" means the customer who determines the purposes and means of processing Personal Data through the Services.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to a Data Subject processed by the Processor on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1 Nature and Purpose
Personal Data is processed for:
- Providing AI avatar conversation services
- Storing conversation history for the Controller's reference
- Processing knowledge base documents uploaded by the Controller
- User authentication and account management
- Voice processing (if voice features are enabled)
2.2 Types of Personal Data
Categories include: names and contact information, conversation content, knowledge base document content, usage data, voice data, and any other Personal Data input into the Services.
2.3 Categories of Data Subjects
Data Subjects may include the Controller's employees, customers, clients, and end-users.
2.4 Duration
Processing continues for the duration of the Services agreement. Upon termination, Section 11 applies.
3. Obligations of the Controller
The Controller shall:
- Ensure a lawful basis for processing, including obtaining necessary consents
- Provide appropriate notices to Data Subjects, including that AI is used
- Ensure instructions to the Processor comply with Applicable Data Protection Law
- Be responsible for the accuracy, quality, and legality of Personal Data provided
- Comply with EU AI Act obligations where applicable
- Not upload special category data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR) without prior written agreement
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorised to process Personal Data are bound by confidentiality
- Implement appropriate technical and organisational security measures (see Annex B)
- Engage Sub-processors only in accordance with Section 6
- Assist the Controller in responding to Data Subject rights requests
- Assist with security, breach notification, DPIAs, and prior consultation obligations (Articles 32-36 GDPR)
- Delete or return all Personal Data upon termination, at the Controller's choice
- Make available information necessary to demonstrate compliance and allow for audits
- Immediately inform the Controller if an instruction infringes Applicable Data Protection Law
5. Security Measures
The Processor implements and maintains technical and organisational security measures including:
- Encryption in transit (TLS 1.2+) and at rest
- Access control mechanisms with role-based permissions
- Multi-factor authentication for administrative access
- Regular security assessments and vulnerability management
- Incident detection and response procedures
- Employee security awareness training
- Backup and recovery procedures
- Logging and monitoring of access to Personal Data
6. Sub-processors
6.1 Authorised Sub-processors
The Controller provides general authorisation for the Sub-processors listed in Annex A below.
6.2 Obligations
The Processor enters into written agreements with each Sub-processor imposing data protection obligations no less protective than this DPA, and remains fully liable for each Sub-processor's performance.
6.3 Changes
The Processor will notify the Controller at least 30 days before engaging a new Sub-processor. The Controller may object on reasonable data protection grounds. If the objection cannot be accommodated, either party may terminate upon 30 days' written notice.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling obligations to respond to Data Subject requests under Articles 15-22 GDPR (access, rectification, erasure, restriction, portability, objection). If the Processor receives a request directly, it will redirect the Data Subject to the Controller and notify the Controller.
8. Personal Data Breach
The Processor will notify the Controller without undue delay (within 48 hours) of becoming aware of a Personal Data Breach, providing: a description of the breach, likely consequences, and measures taken or proposed. The Processor will cooperate in investigating and remediating the breach and maintain a record of all breaches.
9. Audits
The Processor will make available information necessary to demonstrate compliance. The Controller may conduct an audit with 30 days' notice, reasonable scope, no more than once per 12-month period (unless required by a supervisory authority or following a breach). The Processor may satisfy audit requests by providing third-party audit reports, written responses, or evidence of security measures.
10. International Data Transfers
For transfers to countries without an adequacy decision, the Processor ensures appropriate safeguards including Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement (IDTA), and EU-US Data Privacy Framework certification where applicable. The Processor has conducted Transfer Impact Assessments for each Sub-processor outside the EEA.
11. Term and Termination
This DPA remains in effect for the duration of the Services agreement. Upon termination, the Processor will delete or return all Personal Data within 30 days (at the Controller's choice), unless retention is required by law. The Controller may request a data export before termination. Written confirmation of deletion is available upon request.
12. Liability
Liability under this DPA is subject to the limitations in the Terms of Service, except where such limitation would be prohibited by Applicable Data Protection Law.
13. Governing Law
This DPA is governed by the laws of Ireland. For UK Data Subjects, the UK GDPR and Data Protection Act 2018 apply to the extent of any conflict.
Annex A — Sub-processors
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic (Claude API) | AI model processing | United States | EU-US DPF / SCCs |
| OpenAI (GPT API) | Supplementary AI processing | United States | EU-US DPF / SCCs |
| Supabase | Database hosting and authentication | United States / EU | SCCs |
| Vercel | Website hosting and serverless functions | Global (edge) | SCCs |
| Stripe | Payment processing | United States | EU-US DPF / SCCs |
| Pinecone | Vector database for document search | United States | SCCs |
| ElevenLabs | Voice synthesis and processing | United States / EU | SCCs |
| Resend | Email delivery | United States | SCCs |
Annex B — Technical and Organisational Security Measures
1. Access Control
Role-based access controls (RBAC), multi-factor authentication for administrative access, principle of least privilege, regular access reviews.
2. Encryption
Data encrypted in transit using TLS 1.2+. Data encrypted at rest using AES-256 or equivalent. Regular key rotation.
3. Network Security
Firewalls and network segmentation, DDoS protection, regular vulnerability scanning, secure API endpoints with rate limiting.
4. Data Management
Regular automated backups with encryption, data retention policies enforced programmatically, secure deletion procedures.
5. Incident Management
Documented incident response plan, 48-hour breach notification, post-incident review and remediation, incident logging.
6. Personnel
Confidentiality obligations for all staff, data protection training, background checks where legally permitted, access revocation on termination.
7. Physical Security
Hosting infrastructure provided by SOC 2 / ISO 27001 certified providers with physical access controls, environmental controls, and redundant power.
8. Business Continuity
Redundant hosting infrastructure, automated failover, disaster recovery procedures, regular testing of recovery.
Annex C — Details of Processing
| Element | Details |
|---|---|
| Subject matter | Provision of AI-powered avatar and persona services |
| Duration | Duration of the Services agreement |
| Nature of processing | Collection, storage, retrieval, use, transmission, erasure |
| Purpose | AI conversation processing, knowledge base search, account management, voice processing |
| Categories of Personal Data | Names, contact details, conversation content, knowledge base content, usage data, voice data, payment data |
| Categories of Data Subjects | Controller's employees, customers, clients, end-users |
| Special categories | Not intended for processing. Prior written agreement required. |
Contact
Questions about this DPA: privacy@acuda.ai