DRAFT — this DPA template is pending legal review. For a counter-signed copy you can rely on, please email info@aiassistsmes.co.uk with subject "DPA Request".


Data Processing Agreement

The contractual terms governing how AI-Assist for SMEs processes personal data on your behalf as your processor under UK GDPR.

Need a counter-signed copy?

For procurement, audit, or compliance purposes, we'll provide a bilaterally signed version.


1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • The Customer (acting as "Controller" under UK GDPR) — the entity that has signed up for an AI-Assist for SMEs subscription.
  • AI ASSIST SMES LTD (acting as "Processor" under UK GDPR), a company registered in England & Wales (Company No. 17118425; ICO Registration ZC106782; registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ).

2. Definitions

Terms defined in UK GDPR (including "Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Sub-processor") bear the same meanings here. "Services" means the AI-Assist for SMEs platform, including the AI chatbot, CRM, email sequences, automations, booking, integrations, and analytics features.

3. Subject matter and duration

The Processor processes Personal Data solely on the documented instructions of the Controller, for the duration of the subscription, plus any retention period specified in Section 9 below.

4. Nature and purpose of processing

Processing is for the purpose of providing the Services to the Controller, including: storing and managing customer leads, conducting AI-powered chatbot conversations, sending transactional and marketing communications on the Controller's behalf, scheduling appointments, processing payments, and generating analytics.

5. Categories of Personal Data

The Personal Data processed may include: name, email address, phone number, IP address, conversation transcripts, appointment details, payment details (handled by Stripe), and any other data the Controller chooses to upload to the Services.

6. Categories of Data Subjects

Data Subjects include: the Controller's end customers, prospects, leads, employees, and any other individuals whose data the Controller chooses to process via the Services.

7. Processor obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (i.e. the use of the Services).
  • Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (see Annex 2) to ensure a level of security appropriate to the risk.
  • Engage Sub-processors only with the Controller's prior general authorisation (see Annex 3) and impose the same data protection obligations on each.
  • Assist the Controller in fulfilling Data Subject rights requests (access, rectification, erasure, portability, restriction, objection).
  • Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting the Controller's data.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of Services (subject to retention required by law — see Section 9).

8. Sub-processors

The Controller authorises the Processor to engage the Sub-processors listed in Annex 3. The Processor will give 30 days' notice of any new or replacement Sub-processor; the Controller may object on reasonable grounds.

9. Retention and deletion

Personal Data is retained for the duration of the subscription. Upon termination, data is retained for 30 days (to allow for accidental cancellation or reactivation), after which it is permanently deleted. The Controller may request earlier deletion at any time. Backups are purged within 35 days of deletion.

10. International transfers

Personal Data is primarily stored in the EU (Frankfurt, Germany). Where transfers to non-EEA countries are necessary (e.g. to Sub-processors in the US), the Processor relies on UK ICO-approved Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the underlying Terms of Service. Nothing in this DPA limits liability that cannot be excluded or limited under applicable law.

12. Governing law

This DPA is governed by the laws of England and Wales. Any disputes are subject to the exclusive jurisdiction of the courts of England and Wales.

Annex 1 — Description of processing

  • Subject matter: Provision of the AI-Assist for SMEs platform.
  • Duration: For the term of the subscription, plus 30-day post-termination retention.
  • Nature and purpose: See Section 4.
  • Type of Personal Data: See Section 5.
  • Categories of Data Subjects: See Section 6.

Annex 2 — Technical and organisational measures

A summary is published at /security. Key measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row Level Security at the database layer
  • Strict role hierarchy with audit logging on every privileged action
  • 10-character minimum passwords with HaveIBeenPwned check
  • Rate limiting on authentication endpoints
  • 72-hour breach notification commitment
  • EU-region database hosting

Annex 3 — Authorised Sub-processors

The current list of Sub-processors is published and maintained at /data-processing. As of the date of this DPA, the Sub-processors are: Vercel (hosting), Supabase (database), Anthropic (AI processing), Stripe (payments), Resend (email), Google Calendar (optional integration), Zoom (optional integration).

For a bilaterally signed version of this DPA, email info@aiassistsmes.co.uk with subject "DPA Request" and your company name.

Last updated: 8 May 2026. This page reflects our current standard DPA template; signed copies are version-controlled and dated separately.